Koda Platform Exposed: Auth Cookie Lacks Secure/SameSite Attributes, Enabling Token Theft via XSS
A critical security misconfiguration in the Koda platform's authentication system leaves user sessions vulnerable to hijacking. The platform's JWT authentication cookie is created with default, insecure options, failing to enforce the `secure` and `sameSite` attributes. This oversight means the sensitive token is transmitted over unencrypted HTTP connections and is not protected against cross-site request forgery attacks, creating a direct path for attackers to steal credentials.
The vulnerability is located in the `useAuth.ts` composable file, where the `useCookie` function is called without explicit security parameters. Consequently, the `koda_token` cookie is not marked as `secure`, lacks an explicit `sameSite` policy, and remains accessible to client-side JavaScript. The `httpOnly` flag is omitted by design, because the client reads the token to authorize API calls, but that trade-off is what makes the missing hardening so costly. The core danger is that if any cross-site scripting (XSS) vulnerability exists elsewhere in the application, such as in user-generated content within tickets or comments, an attacker can trivially exfiltrate the authentication token, since nothing in the cookie's configuration keeps it out of reach of page scripts.
This flaw, discovered during a deep web bug scan, represents a systemic application security failure. It places all user accounts and associated data at risk of compromise. The recommended fix is to implement the cookie with `secure: true` and `sameSite: 'strict'` attributes, though the architectural need for client-side token access prevents a fully locked-down solution. The exposure underscores the critical importance of explicit security configurations in authentication flows and highlights how default settings can create exploitable gaps in enterprise software.
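To make the finding concrete, the following added example (not Koda's code) models the default `useCookie` options the advisory describes beside the recommended hardened set, renders each as a `Set-Cookie` header, and runs a small audit that flags the attributes a reviewer would look for. The cookie name `koda_token` and the `secure`/`sameSite`/`httpOnly` option names come from the advisory and Nuxt's `useCookie` API; the helper names and the sample token value are assumptions.

```typescript
// Added example: cookie-option audit for the koda_token finding.
// The option names mirror Nuxt's useCookie (secure, sameSite, httpOnly, path);
// the helper functions below are illustrative, not part of Koda or Nuxt.

type SameSite = "strict" | "lax" | "none";
interface CookieOptions {
  secure?: boolean;
  sameSite?: SameSite;
  httpOnly?: boolean;
  path?: string;
}

// What the advisory reports: useCookie("koda_token") with defaults.
export const weakOptions: CookieOptions = {};

// The recommended fix. httpOnly stays off because the client reads the token
// for API authorization, which is why XSS remains a residual risk.
export const hardenedOptions: CookieOptions = { secure: true, sameSite: "strict", path: "/" };
// In a Nuxt composable this would be applied as: useCookie("koda_token", hardenedOptions)

// Render options the way a browser would receive them in a Set-Cookie header.
export function buildSetCookie(name: string, value: string, opts: CookieOptions): string {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.sameSite) {
    parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  }
  return parts.join("; ");
}

// Audit a Set-Cookie header for the attributes discussed in the advisory.
// Returns one finding per missing or inconsistent attribute (empty = clean).
export function auditSetCookie(header: string): string[] {
  const attrs = header.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const findings: string[] = [];
  if (!attrs.includes("secure")) findings.push("missing Secure: token is sent over plain HTTP");
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  if (!sameSite) findings.push("missing SameSite: cross-site request policy left to browser default");
  else if (sameSite === "samesite=none" && !attrs.includes("secure")) findings.push("SameSite=None requires Secure");
  if (!attrs.includes("httponly")) findings.push("missing HttpOnly: token readable by page scripts (XSS exfiltration risk)");
  return findings;
}

// Constructed sample token value, not a real credential.
export const weakHeader = buildSetCookie("koda_token", "eyJ.sample.token", weakOptions);
export const hardenedHeader = buildSetCookie("koda_token", "eyJ.sample.token", hardenedOptions);
```

Running the audit on `weakHeader` reports all three gaps, while `hardenedHeader` still reports the `HttpOnly` gap, which matches the advisory's point that the fix narrows but does not close the XSS exposure.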